com.google.auth.oauth2

Class ServiceAccountCredentials

java.lang.Object

com.google.auth.Credentials

com.google.auth.oauth2.OAuth2Credentials

com.google.auth.oauth2.GoogleCredentials

com.google.auth.oauth2.ServiceAccountCredentials

All Implemented Interfaces:

ServiceAccountSigner, Serializable

public class ServiceAccountCredentials
extends GoogleCredentials
implements ServiceAccountSigner

OAuth2 credentials representing a Service Account for calling Google APIs.

By default uses a JSON Web Token (JWT) to fetch access tokens.

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ServiceAccountCredentials.Builder

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials

OAuth2Credentials.CredentialsChangedListener

Nested classes/interfaces inherited from interface com.google.auth.ServiceAccountSigner

ServiceAccountSigner.SigningException

Constructor Summary

Constructors

Constructor and Description
ServiceAccountCredentials(String clientId, String clientEmail, PrivateKey privateKey, String privateKeyId, Collection<String> scopes) Deprecated.
ServiceAccountCredentials(String clientId, String clientEmail, PrivateKey privateKey, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri) Deprecated.

Method Summary

Modifier and Type	Method and Description
GoogleCredentials	createDelegated(String user) If the credentials support domain-wide delegation, creates a copy of the identity so that it impersonates the specified user; otherwise, returns the same instance.
GoogleCredentials	createScoped(Collection<String> newScopes) Clones the service account with the specified scopes.
boolean	createScopedRequired() Returns whether the scopes are empty, meaning createScoped must be called before use.
boolean	equals(Object obj)
static ServiceAccountCredentials	fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes) Factory with minimum identifying information using PKCS#8 for the private key.
static ServiceAccountCredentials	fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri) Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
static ServiceAccountCredentials	fromPkcs8(String clientId, String clientEmail, String privateKeyPkcs8, String privateKeyId, Collection<String> scopes, HttpTransportFactory transportFactory, URI tokenServerUri, String serviceAccountUser) Factory with minimum identifying information and custom transport using PKCS#8 for the private key.
static ServiceAccountCredentials	fromStream(InputStream credentialsStream) Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
static ServiceAccountCredentials	fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory) Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.
String	getAccount()
String	getClientEmail()
String	getClientId()
PrivateKey	getPrivateKey()
String	getPrivateKeyId()
String	getProjectId()
Collection<String>	getScopes()
String	getServiceAccountUser()
int	hashCode()
static ServiceAccountCredentials.Builder	newBuilder()
AccessToken	refreshAccessToken() Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).
byte[]	sign(byte[] toSign)
ServiceAccountCredentials.Builder	toBuilder()
String	toString()

Methods inherited from class com.google.auth.oauth2.GoogleCredentials

getApplicationDefault, getApplicationDefault, of

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials

addChangeListener, getAccessToken, getAuthenticationType, getFromServiceLoader, getRequestMetadata, getRequestMetadata, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, toStringHelper

Methods inherited from class com.google.auth.Credentials

blockingGetToCallback, getRequestMetadata

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

ServiceAccountCredentials

@Deprecated
public ServiceAccountCredentials(String clientId,
                                             String clientEmail,
                                             PrivateKey privateKey,
                                             String privateKeyId,
                                             Collection<String> scopes)

Deprecated.

Constructor with minimum identifying information.

Parameters:

clientId - Client ID of the service account from the console. May be null.

clientEmail - Client email address of the service account from the console.

privateKey - RSA private key object for the service account.

privateKeyId - Private key identifier for the service account. May be null.

scopes - Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.

ServiceAccountCredentials

@Deprecated
public ServiceAccountCredentials(String clientId,
                                             String clientEmail,
                                             PrivateKey privateKey,
                                             String privateKeyId,
                                             Collection<String> scopes,
                                             HttpTransportFactory transportFactory,
                                             URI tokenServerUri)

Deprecated.

Constructor with minimum identifying information and custom HTTP transport.

Parameters:

clientId - Client ID of the service account from the console. May be null.

clientEmail - Client email address of the service account from the console.

privateKey - RSA private key object for the service account.

privateKeyId - Private key identifier for the service account. May be null.

scopes - Scope strings for the APIs to be called. May be null or an empty collection, which results in a credential that must have createScoped called before use.

transportFactory - HTTP transport factory, creates the transport used to get access tokens.

tokenServerUri - URI of the end point that provides tokens.

Method Detail

fromPkcs8

public static ServiceAccountCredentials fromPkcs8(String clientId,
                                                  String clientEmail,
                                                  String privateKeyPkcs8,
                                                  String privateKeyId,
                                                  Collection<String> scopes)
                                           throws IOException

Factory with minimum identifying information using PKCS#8 for the private key.

Parameters:

clientId - Client ID of the service account from the console. May be null.

clientEmail - Client email address of the service account from the console.

privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.

privateKeyId - Private key identifier for the service account. May be null.

scopes - Scope strings for the APIs to be called. May be null or an emptt collection, which results in a credential that must have createScoped called before use.

Throws:

IOException

fromPkcs8

public static ServiceAccountCredentials fromPkcs8(String clientId,
                                                  String clientEmail,
                                                  String privateKeyPkcs8,
                                                  String privateKeyId,
                                                  Collection<String> scopes,
                                                  HttpTransportFactory transportFactory,
                                                  URI tokenServerUri)
                                           throws IOException

Factory with minimum identifying information and custom transport using PKCS#8 for the private key.

Parameters:

clientId - Client ID of the service account from the console. May be null.

clientEmail - Client email address of the service account from the console.

privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.

privateKeyId - Private key identifier for the service account. May be null.

scopes - Scope strings for the APIs to be called. May be null or an emptt collection, which results in a credential that must have createScoped called before use.

transportFactory - HTTP transport factory, creates the transport used to get access tokens.

tokenServerUri - URI of the end point that provides tokens.

Throws:

IOException

fromPkcs8

public static ServiceAccountCredentials fromPkcs8(String clientId,
                                                  String clientEmail,
                                                  String privateKeyPkcs8,
                                                  String privateKeyId,
                                                  Collection<String> scopes,
                                                  HttpTransportFactory transportFactory,
                                                  URI tokenServerUri,
                                                  String serviceAccountUser)
                                           throws IOException

Factory with minimum identifying information and custom transport using PKCS#8 for the private key.

Parameters:

clientId - Client ID of the service account from the console. May be null.

clientEmail - Client email address of the service account from the console.

privateKeyPkcs8 - RSA private key object for the service account in PKCS#8 format.

privateKeyId - Private key identifier for the service account. May be null.

scopes - Scope strings for the APIs to be called. May be null or an emptt collection, which results in a credential that must have createScoped called before use.

transportFactory - HTTP transport factory, creates the transport used to get access tokens.

tokenServerUri - URI of the end point that provides tokens.

serviceAccountUser - The email of the user account to impersonate, if delegating domain-wide authority to the service account.

Throws:

IOException

fromStream

public static ServiceAccountCredentials fromStream(InputStream credentialsStream)
                                            throws IOException

Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.

Parameters:

credentialsStream - the stream with the credential definition.

Returns:

the credential defined by the credentialsStream.

Throws:

IOException - if the credential cannot be created from the stream.

fromStream

public static ServiceAccountCredentials fromStream(InputStream credentialsStream,
                                                   HttpTransportFactory transportFactory)
                                            throws IOException

Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.

Parameters:

credentialsStream - the stream with the credential definition.

transportFactory - HTTP transport factory, creates the transport used to get access tokens.

Returns:

the credential defined by the credentialsStream.

Throws:

IOException - if the credential cannot be created from the stream.

refreshAccessToken

public AccessToken refreshAccessToken()
                               throws IOException

Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).

Overrides:

refreshAccessToken in class OAuth2Credentials

Throws:

IOException - from derived implementations

createScopedRequired

public boolean createScopedRequired()

Returns whether the scopes are empty, meaning createScoped must be called before use.

Overrides:

createScopedRequired in class GoogleCredentials

createScoped

public GoogleCredentials createScoped(Collection<String> newScopes)

Clones the service account with the specified scopes.

Should be called before use for instances with empty scopes.

Overrides:

createScoped in class GoogleCredentials

createDelegated

public GoogleCredentials createDelegated(String user)

Description copied from class: GoogleCredentials

If the credentials support domain-wide delegation, creates a copy of the identity so that it impersonates the specified user; otherwise, returns the same instance.

Overrides:

createDelegated in class GoogleCredentials

getClientId

public final String getClientId()

getClientEmail

public final String getClientEmail()

getPrivateKey

public final PrivateKey getPrivateKey()

getPrivateKeyId

public final String getPrivateKeyId()

getScopes

public final Collection<String> getScopes()

getServiceAccountUser

public final String getServiceAccountUser()

getProjectId

public final String getProjectId()

getAccount

public String getAccount()

Specified by:

getAccount in interface ServiceAccountSigner

sign

public byte[] sign(byte[] toSign)

Specified by:

sign in interface ServiceAccountSigner

hashCode

public int hashCode()

Overrides:

hashCode in class OAuth2Credentials

toString

public String toString()

Overrides:

toString in class OAuth2Credentials

equals

public boolean equals(Object obj)

Overrides:

equals in class OAuth2Credentials

newBuilder

public static ServiceAccountCredentials.Builder newBuilder()

toBuilder

public ServiceAccountCredentials.Builder toBuilder()

Overrides:

toBuilder in class GoogleCredentials